[TON-XXX] Add EventBridge permissions for automated Agent installation on cloud resources

aws_quickstart/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 4.8.0 (April 7, 2026)
+
+- Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role.
+
 # 4.7.3 (March 23, 2026)
 
 - Send Lambda log forwarder ARN back in the `stack_complete` workflow status payload so Datadog can register the deployed forwarder with the AWS integration automatically

aws_quickstart/datadog_integration_role.yaml

@@ -23,11 +23,21 @@ Parameters:
       Datadog AWS account ID allowed to assume the integration IAM role. DO NOT CHANGE!
     Type: String
     Default: "464622532012"
+  InstallAgentOnCloudResources:
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
 Conditions:
   ShouldInstallSecurityAuditPolicy:
     Fn::Equals:
       - Ref: ResourceCollectionPermissions
       - true
+  AgentOnCloudResources:
+    Fn::Equals:
+      - !Ref InstallAgentOnCloudResources
+      - "true"
 Resources:
   DatadogIntegrationRole:
     Type: "AWS::IAM::Role"
@@ -61,6 +71,67 @@ Resources:
           [!Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"],
           !Ref AWS::NoValue,
         ]
+  DatadogEventBridgeInvocationRole:
+    Type: AWS::IAM::Role
+    Condition: AgentOnCloudResources
+    Properties:
+      RoleName: datadog-eventbridge-invocation-role
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: InvokeDatadogApiDestination
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: events:InvokeApiDestination
+                Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*"
+
+  DatadogAgentInstallEventBridgePolicy:
+    Type: AWS::IAM::Policy
+    Condition: AgentOnCloudResources
+    DependsOn: DatadogEventBridgeInvocationRole
+    Properties:
+      PolicyName: DatadogAgentInstallEventBridgePolicy
+      Roles:
+        - !Ref DatadogIntegrationRole
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - events:PutRule
+              - events:PutTargets
+              - events:DeleteRule
+              - events:RemoveTargets
+              - events:DescribeRule
+              - events:ListTargetsByRule
+              - events:CreateConnection
+              - events:UpdateConnection
+              - events:DeleteConnection
+              - events:DescribeConnection
+              - events:CreateApiDestination
+              - events:UpdateApiDestination
+              - events:DeleteApiDestination
+              - events:DescribeApiDestination
+            Resource:
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/datadog-*"
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:connection/datadog-*"
+              - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*"
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource:
+              - !GetAtt DatadogEventBridgeInvocationRole.Arn
+            Condition:
+              StringEquals:
+                iam:PassedToService: events.amazonaws.com
+
   DatadogAttachIntegrationPermissionsLambdaExecutionRole:
     Type: AWS::IAM::Role
     Properties:

aws_quickstart/main_extended_workflow.yaml

@@ -62,6 +62,16 @@ Parameters:
       or send logs using AWS PrivateLink should select "no" and install this independently
       (https://docs.datadoghq.com/serverless/libraries_integrations/forwarder/#installation).
     Default: true
+  InstallAgentOnCloudResources:
+    Type: String
+    AllowedValues:
+      - true
+      - false
+    Description: >-
+      Automatically install and manage the Datadog Agent on EKS clusters,
+      EC2 instances, and ECS clusters. Datadog will monitor CloudTrail events
+      and install the Agent on resources matching rules configured in Datadog.
+    Default: false
   DisableMetricCollection:
     Type: String
     AllowedValues:
@@ -460,6 +470,7 @@ Resources:
             - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountIdGovCloud]
             - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountId]
           - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+        InstallAgentOnCloudResources: !Ref InstallAgentOnCloudResources
 
   # Step 3: Notify IAM role creation finished
   NotifyIAMRoleCreationFinished:

aws_quickstart/version.txt

@@ -1 +1 @@
-v4.7.4
+v4.8.0